Setting Up an SSH Bastion Host - Ezeelogin - 0 views

started by Ezeelogin on 19 Apr 22

#1 Ezeelogin on 19 Apr 22
Bastion Host Introduction

In recent times, there is an increasing need for organizations to give employees access to their IT facilities due to the ongoing Covid restrictions ( such as work from home ) in place and in other cases grant access to external parties like clients, vendors who want to troubleshoot and fix issues with the IT infrastructure remotely.

More so, is the need for multiple manage SSH access to the company’s Linux servers, Routers, and Switches, while meeting regulatory and security compliance.

This need led to the emergence of the SSH Bastion host concept.

It is a secure intermediary server where all your system administrators would log in first via SSH before getting to access the remote devices such as Linux instances, Routers, Switches, etc. The purpose of having the SSH bastion host is to improve security and consolidate SSH user activities to a single point hence better security and accountability. SSH Jump bastion host is also known by the name SSH Jump Box, SSH Jump Host & SSH Gateway.

What is SSH Bastion Host?

An SSH Bastion host is simply a single, hardened server that you “jump” through in order to access other servers or devices on the inner network.

Sometimes called an SSH Jump host, or SSH Jump server ssh gateway, or a relay host, it’s simply a server that all of your users can log into and use as a relay server to connect to other Linux servers, Routers, Switches, and more. Therefore, a jump server is a server inside a secure zone, which can be accessed from a less secure zone. It is then possible to jump from this host to greater security zones.

In other words, it is an intermediary host or an SSH gateway to a remote network, through which a connection can be made to another host in a dissimilar security zone, for example, a demilitarized zone (DMZ2). In short, it is intended to breach the gap between two security zones. This is done with the purpose of establishing a gateway to access something inside of the security zone, from the DMZ

The SSH Bastion host bridges two dissimilar security zones and offers controlled and monitored access between them.
For users accessing your secure network over the internet, the Bastion host provides a highly secured and monitored environment especially when it spans a private network and a DMZ with servers providing services to users on the internet.

Furthermore, a classic scenario is connecting from your desktop or laptop from inside your company’s internal network, which is highly secured with firewalls to a DMZ. In order to easily manage a server in a DMZ, you may access it via a bastion host.

Therefore, a bastion host is a server inside a secure zone, which can be accessed from a less secure zone. It is then possible to jump from this host to greater security zones. An example would be a high-security zone inside a corporation. The policy guide states that this zone cannot be accessed directly from a normal user zone. Hence, in a DMZ off the firewall protecting this zone, you have a jump host.

Connections are permitted to the ssh bastion host from the user zone, and access to the secure zone is permitted from the bastion host.

More often, there is a separate authentication method for the bastion host fortified with multi-factor authentication, Single Sign-On ( SSO ) , Radius & more.

How to Set up SSH Bastion Host Solution
Using OpenSSH
A basic ssh bastion host server with limited features and functionalities can be configured using OpenSSH packages that are available by default on most Linux distributions. In the example below, we will just use the basic ssh command line to proxy an ssh connection to the remote server via an intermediate jump server.

Why do you need an SSH Bastion Host solution to manage ssh access?

The OpenSSH-based bastion host server is clearly not enough to meet the modern-day requirements of an IT enterprise. The challenges for the enterprise are constantly changing and dynamic. One day, it could be from maintaining security, granting ssh access to the users to the designated server, and that too for a particular time, and on another day it could be the security compliances that need to be met at the time of a Linux servers infrastructure audit.

The modern-day SSH bastion host solutions are designed to address the challenges faced by an IT enterprise when it comes to security and to meet various security compliances like PCI DSS, NIST, ISO 27001, and more.

The modern-day ssh bastion host software such as Ezeelogin has the following features and more.

Identity and Access Management (IAM)

Privileged Access Management (PAM),

Role-Based Access Control to delegate access to Linux servers and network devices.

Two-factor authentication methods like Google Authenticator, Duo Security 2FA, & Yubikey in SSH.

Integrates with Windows Active Directory, OpenLDAP, Redhat IDM.

Supports SAML for Single Sign-On.

Support RADIUS Authentication to access network devices such as Routers and Switches

Password Manager

SSH key rotation,

Automated root password management

CONCLUSION

IT Enterprises that use an SSH Bastion host solution in improving the security of their critical IT asset and in meeting various mandatory security compliances (which would otherwise prove very costly in case of a breach), are more likely to succeed due to the improved operational efficiency, digital security, hence more successful business for the company’s end customers.

<div class="cArrow"> </div><div class="cContentInner"><h2>Bastion Host Introduction </h2> <br /> <div>In recent times, there is an increasing need for organizations to give employees access to their IT facilities due to the ongoing Covid restrictions ( such as work from home )  in place and in other cases grant access to external parties like clients, vendors who want to troubleshoot and fix issues with the IT infrastructure remotely.</div> <br /> <div> </div> <br /> <div>More so, is the need for multiple manage SSH access to the company’s Linux servers, Routers, and Switches, while meeting regulatory and security compliance.</div> <br /> <div> </div> <br /> <div>This need led to the emergence of the SSH <strong><a href="https://www.ezeelogin.com/blog/ssh-bastion-host/" rel="nofollow">Bastion host</a></strong> concept.</div> <br /> <div>It is a secure intermediary server where all your system administrators would log in first via SSH before getting to access the remote devices such as Linux instances, Routers, Switches, etc. The purpose of having the SSH bastion host is to improve security and consolidate SSH user activities to a single point hence better security and accountability. SSH  Jump bastion host is also known by the name SSH Jump Box, SSH Jump Host & SSH Gateway.</div> <br /> <div> </div> <br /> <h2>What is SSH Bastion Host?                             </h2> <br /> <div>An <a href="https://www.ezeelogin.com/blog/ssh-jump-server/" rel="nofollow"><strong>SSH Bastion host</strong></a> is simply a single, hardened server that you “jump” through in order to access other servers or devices on the inner network.</div> <br /> <div>Sometimes called an <a href="https://www.ezeelogin.com/blog/ssh-jump-host/" rel="nofollow"><strong>SSH Jump host</strong>,</a> or <a href="https://www.ezeelogin.com/blog/ssh-jump-server/" rel="nofollow"><strong>SSH Jump server</strong></a> ssh gateway, or a relay host, it’s simply a server that all of your users can log into and use as a relay server to connect to other Linux servers, Routers, Switches, and more. Therefore, a jump server is a server inside a secure zone, which can be accessed from a less secure zone. It is then possible to jump from this host to greater security zones.</div> <br /> <div> </div> <br /> <div>In other words, it is an intermediary host or an SSH gateway to a remote network, through which a connection can be made to another host in a dissimilar security zone, for example, a demilitarized zone (DMZ2). In short, it is intended to breach the gap between two security zones. This is done with the purpose of establishing a gateway to access something inside of the security zone, from the DMZ</div> <br /> <div> </div> <br /> <div>The SSH Bastion host bridges two dissimilar security zones and offers controlled and monitored access between them.</div> <br /> <div> </div> <br /> <div> <br /> <div>For users accessing your secure network over the internet, the Bastion host provides a highly secured and monitored environment especially when it spans a private network and a DMZ with servers providing services to users on the internet.</div> <br /> <div> </div> <br /> <div>Furthermore, a classic scenario is connecting from your desktop or laptop from inside your company’s internal network, which is highly secured with firewalls to a DMZ. In order to easily manage a server in a DMZ, you may access it via a bastion host.</div> <br /> <div> </div> <br /> <div>Therefore, a bastion host is a server inside a secure zone, which can be accessed from a less secure zone. It is then possible to jump from this host to greater security zones. An example would be a high-security zone inside a corporation. The policy guide states that this zone cannot be accessed directly from a normal user zone. Hence, in a DMZ off the firewall protecting this zone, you have a jump host.</div> <br /> <div> </div> <br /> <div>Connections are permitted to the ssh bastion host from the user zone, and access to the secure zone is permitted from the bastion host.</div> <br /> <div> </div> <br /> <div>More often, there is a separate authentication method for the bastion host fortified with multi-factor authentication, Single Sign-On ( SSO ) , Radius  & more. </div> <br /> <h2> </h2> <br /> <h2><strong>How to Set up SSH Bastion Host Solution</strong></h2> <br /> <ul> </ul><br /> <li>Using OpenSSH<br />A basic ssh bastion host server with limited features and functionalities can be configured using <a href="https://en.wikipedia.org/wiki/OpenSSH" rel="nofollow">OpenSSH</a> packages that are available by default on most Linux distributions. In the example below, we will just use the basic ssh command line to proxy an ssh connection to the remote server via an intermediate jump server.</li> <br />  <br /> <p> </p> <br /> <div class="entry-content"> <br /> <div> <br /> <h3>Why do you need an SSH Bastion Host solution to manage ssh access? </h3> <br /> <div>The OpenSSH-based bastion host server is clearly not enough to meet the modern-day requirements of an IT enterprise. The challenges for the enterprise are constantly changing and dynamic. One day, it could be from maintaining security, granting ssh access to the users to the designated server, and that too for a particular time, and on another day it could be the security compliances that need to be met at the time of a Linux servers infrastructure audit.</div> <br /> <div>The modern-day SSH  bastion host solutions are designed to address the challenges faced by an IT enterprise when it comes to security and to meet various security compliances like PCI DSS, NIST, ISO 27001, and more.</div> <br /> <div> </div> <br /> <div>The modern-day ssh bastion host software such as <a href="https://www.ezeelogin.com/blog/ssh-bastion-host/_wp_link_placeholder" data-wplink-edit="true" rel="nofollow">Ezeelogin</a> has the following features and more.</div> <br /> <ul> </ul><br /> <li>Identity and Access Management (IAM)</li> <br /> <li>Privileged Access Management (PAM),</li> <br /> <li>Role-Based Access Control to delegate access to Linux servers and network devices.</li> <br /> <li>Two-factor authentication methods like Google Authenticator, Duo Security 2FA, & Yubikey in SSH.</li> <br /> <li>Integrates with Windows Active Directory, OpenLDAP, Redhat IDM.</li> <br /> <li>Supports SAML for  Single Sign-On.</li> <br /> <li>Support RADIUS Authentication to access network devices such as Routers and Switches</li> <br /> <li>Password Manager</li> <br /> <li>SSH key rotation, </li> <br /> <li>Automated root password management</li> <br />  <br /> <h3> </h3> <br /> <h3>CONCLUSION</h3> <br /> <div>IT Enterprises that use an SSH Bastion host solution in improving the security of their critical IT asset and in meeting various mandatory security compliances  (which would otherwise prove very costly in case of a breach),  are more likely to succeed due to the improved operational efficiency, digital security, hence more successful business for the company’s end customers.</div> <br /> </div> <br /> <p> </p> <br /> </div> <br /> <footer class="entry-meta"> </footer><br /> <div class="tagcloud"><a href="https://www.ezeelogin.com/blog/tag/set-up-ssh-bastion-host-solution/" rel="nofollow">Set up SSH Bastion Host Solution</a> <a href="https://www.ezeelogin.com/blog/tag/ssh-bastion-host/" rel="nofollow">SSH Bastion Host</a> <a href="https://www.ezeelogin.com/blog/tag/ssh-jump-host/" rel="nofollow">SSH Jump host</a></div> <br />  <br /> <p><img src="https://www.diigo.com/file/image/boeqqacqzpcrrcsebbzepsqpode/SSH+with+multiple+jumps..jpg" width="842" height="711" /></p> <br /> <p> </p> <br /> <p> </p> <br /> </div></div>

Cancel

To Top